CVE-2017-15095

🗓️ 06 Feb 2018 15:00:00Reported by redhatType

cve🔗 web.nvd.nist.gov📰️ 4 Media mentions👁 288 Views🌐 WEB

A deserialization flaw in jackson-databind allows code execution via crafted input

Reporter	Title	Published	Views	Family All 182
IBM Security Bulletins	Security Bulletin: Vulnerabilities in jackson-databind affect IBM watsonx.data	18 Sep 202416:36	–	ibm
IBM Security Bulletins	Security Bulletin: Multiple vulnerabilities in IBM® Java™ SDK and IBM® Java™ Runtime affect IBM® Intelligent Operations Center products	21 Dec 201811:10	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Maximo Asset Management is vulnerable to Multiple Jackson-Databind CVEs - February 2020	1 Mar 202212:38	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Security Guardium Insights is affected by Components with known vulnerabilities	6 Oct 202112:30	–	ibm
IBM Security Bulletins	Security Bulletin: IBM InfoSphere Information Server is affected by multiple vulnerabilities in Jackson databind	2 Jun 202123:46	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Data Risk Manager is affected by multiple vulnerabilities	13 Aug 202122:15	–	ibm
IBM Security Bulletins	Security Bulletin: Multiple Vulnerabilities in IBM Guardium Data Encryption (GDE)	12 Jan 202114:42	–	ibm
IBM Security Bulletins	Security Bulletin: Multiple vulnerabilities in IBM Cognos Business Intelligence affect Rational Insight	23 Aug 201819:17	–	ibm
IBM Security Bulletins	Security Bulletin: Multiple vulnerabilities in IBM Cognos Business Intelligence affect Rational Reporting for Development Intelligence	23 Aug 201819:15	–	ibm
IBM Security Bulletins	Security Bulletin: Vulnerabilities in jackson-databind affect IBM watsonx.data	4 Feb 202518:12	–	ibm

NVD

Vulners

Node

fasterxml jackson-databindRange2.0.0–2.6.7.2

fasterxml jackson-databindRange2.7.0–2.7.9.2

fasterxml jackson-databindRange2.8.0–2.8.10

fasterxml jackson-databindMatch2.9.0-

fasterxml jackson-databindMatch2.9.0prerelease1

fasterxml jackson-databindMatch2.9.0prerelease2

fasterxml jackson-databindMatch2.9.0prerelease3

fasterxml jackson-databindMatch2.9.0prerelease4

Node

debian debian_linuxMatch8.0

debian debian_linuxMatch9.0

Node

redhat openshift_container_platformMatch3.11

redhat satelliteMatch6.4

redhat satellite_capsuleMatch6.4

Node

redhat openshift_container_platformMatch4.1

AND

redhat enterprise_linuxMatch7.0

Node

redhat jboss_enterprise_application_platformMatch6.0.0

redhat jboss_enterprise_application_platformMatch6.4.0

AND

redhat enterprise_linuxMatch5.0

redhat enterprise_linuxMatch6.0

redhat enterprise_linuxMatch7.0

Node

redhat jboss_enterprise_application_platformMatch7.1.0

AND

redhat enterprise_linuxMatch6.0

redhat enterprise_linuxMatch7.0

Node

netapp oncommand_balanceMatch-

netapp oncommand_performance_managerMatch-linux

netapp oncommand_performance_managerMatch-vmware_vsphere

netapp oncommand_shiftMatch-

netapp snapcenterMatch-

Node

oracle banking_platformMatch2.5.0

oracle banking_platformMatch2.6.0

oracle banking_platformMatch2.6.1

oracle banking_platformMatch2.6.2

oracle clusterwareMatch12.1.0.2.0

oracle communications_billing_and_revenue_managementMatch7.5

oracle communications_billing_and_revenue_managementMatch12.0

oracle communications_diameter_signaling_routerRange<8.3

oracle communications_instant_messaging_serverMatch10.0.1.2.0

oracle database_serverMatch12.2.0.1

oracle database_serverMatch18.1

oracle enterprise_manager_for_virtualizationMatch13.2.2

oracle enterprise_manager_for_virtualizationMatch13.2.3

oracle enterprise_manager_for_virtualizationMatch13.3.1

oracle financial_services_analytical_applications_infrastructureMatch8.0.2

oracle financial_services_analytical_applications_infrastructureMatch8.0.3

oracle financial_services_analytical_applications_infrastructureMatch8.0.4

oracle financial_services_analytical_applications_infrastructureMatch8.0.5

oracle financial_services_analytical_applications_infrastructureMatch8.0.6

oracle financial_services_analytical_applications_infrastructureMatch8.0.7

oracle global_lifecycle_management_opatchautoRange<12.2.0.1.14

oracle identity_managerMatch11.1.2.3.0

oracle identity_managerMatch12.2.1.3.0

oracle jd_edwards_enterpriseone_toolsMatch9.2

oracle primavera_unifierRange17.1–17.12

oracle primavera_unifierMatch16.1

oracle primavera_unifierMatch16.2

oracle primavera_unifierMatch18.8

oracle utilities_advanced_spatial_and_operational_analyticsMatch2.7.0.1

oracle webcenter_portalMatch12.2.1.3.0

[
  {
    "product": "jackson-databind",
    "vendor": "FasterXML",
    "versions": [
      {
        "status": "affected",
        "version": "before 2.8.10"
      },
      {
        "status": "affected",
        "version": "before 2.9.1"
      }
    ]
  }
]

Source	Link
access	www.access.redhat.com/errata/RHSA-2019:3892
securityfocus	www.securityfocus.com/bid/103880
securitytracker	www.securitytracker.com/id/1039769
lists	www.lists.debian.org/debian-lts-announce/2020/01/msg00037.html
access	www.access.redhat.com/errata/RHSA-2018:0480
access	www.access.redhat.com/errata/RHSA-2018:0478
debian	www.debian.org/security/2017/dsa-4037
access	www.access.redhat.com/errata/RHSA-2018:1449
github	www.github.com/FasterXML/jackson-databind/issues/1737
access	www.access.redhat.com/errata/RHSA-2018:1451

Parameter	Position	Path	Description	CWE
@type	path	/api/v1/process	Jackson deserialization RCE payload endpoint vulnerable to polymorphic deserialization via @type in JSON payload.	CWE-502, CWE-184
@type	path	/api/rest/v1.4.0/logs/runtime	Jackson deserialization RCE payload endpoint vulnerable to polymorphic deserialization via @type in JSON payload.	CWE-502, CWE-184
@type	path	/api/endpoint	Jackson deserialization RCE payload endpoint vulnerable to polymorphic deserialization via @type in JSON payload.	CWE-502, CWE-184

21 Nov 2024 03:14Current

9.2High risk

Vulners AI Score9.2

CVSS 27.5

CVSS 3.19.8

EPSS0.07891